The evolving threat landscape. Ransomware. Criminal hackers. Nation states and organized crime. We hear about all of these "things" that are working against us in terms of security. Challenges, no doubt. However, we must look in the mirror and reflect inward to see that security is not just about external factors. It's also about us. That is, human decisions and habits and their relationship to where things stand in terms of IT risk.

Think about it. As recently as 20 years ago, people were going into the office to access their computers and information assets. When they left, that was it. Work stayed at "work." The network was secure. Everything was locked down. Fewer threats in terms of malware existed on the endpoints. Mobile, as we know it today, was more of a thing of the future. Most of the areas we struggle to protect in IT today were much more locked down and secure not that long ago.

Of course, business evolves, and technology matures. That introduces risks. But at the root of many of our security challenges is human behavior. Network users see that they can get work done wherever they're located. Most people, when presented with new work, are eager to get it knocked out, now.

Behind this is the desire for instant gratification. It's natural to see something come in — something that's new, shiny, and sexy — and want to immediately address it. Getting things off our to-do lists provides a level of satisfaction in getting things done. Even for things that weren't on our to-do lists just a couple of minutes ago, we see emails, texts and business that must be addressed. We often get started on it right away thanks to the payoff associated with checking things off of lists. Of course, there's also an expectation on the part of other people for us to get those things done. All of these wants and needs have a definitive role in the organization's overall security posture.

The question becomes: what are you doing about it? Are your IT and security processes keeping up? Instead of just addressing the daily fires and working on the shorter-term projects that must be completed, are you stepping back and looking at the bigger picture of how human behavior is changing IT and introducing new business risks? The older I get, the more I realize how many years have passed in doing what I do. I have this conversation with many clients and colleagues. It's always surprising to think back on how long we've been doing something, especially at the same organization.

There's a lot of bigger picture security stuff that tends to get put off. The assumption is things can be addressed down the road when there's more time — or when the timing is better. There's also the politician approach of kicking the can down the road and hoping that someone else can fix what needs to be addressed. These are dangerous tactics that set a poor precedent for long-term security. You must start today looking at how business processes and employee behaviors have evolved and are evolving.

The time is going to pass anyway. Why not start evaluating what needs to be done based on how the business has changed in recent months or years and have those discussions with your peers, your users, and your executives? There are decisions and habits that aren't necessarily impacting security today, but they likely will in the future. Now's the time to start tweaking your own security habits so your program can accommodate the long term.